This weekly review of data security incidents covers the alleged theft of identity card data in Malaysia and an incident involving a cloud storage provider in Hong Kong.
The first incident is a potentially massive data leak in Malaysia. The National Cyber Security Agency (NACSA) in Malaysia is investigating rumors of the alleged theft of MyKad (Malaysian identity card) data on 17 million Malaysians, while the National Registration Department (NRD) has denied the allegations of a data breach. Claims of a massive breach first appeared on X (formerly Twitter) on the 3rd of December. Initially, it was claimed that MyKad data was being offered for sale online. Some samples of Malaysian ID cards were presented as proof of the breach. MyKad contains such information as:
Aside from being an ID card, MyKad could also be used as a valid driver’s license, an ATM card, an electronic purse for digital cash, and a public key. As a result, this information can be used to commit crimes such as identity theft, unauthorized access to financial accounts, and financial fraud.
If it actually happened, this breach could be one of the largest leaks of personal data in Malaysia. The National Cyber Security Agency will provide any future updates regarding the alleged data breach. NACSA's spokesperson urged the public to “avoid spreading unconfirmed reports and only refer to verified information from the official authorities.”
The current incident is not the first case of data leaks among financial institutions in Malaysia. Earlier this year, in July, Malaysia’s largest bank, Maybank, also faced allegations about a potential data breach. Such incidents highlight the need for proper protection of sensitive data and sufficient legislative standards for personal data processing and storage.
The second incident occurred in Hong Kong. In a statement dated 9th December, the Office of the Privacy Commissioner for Personal Data (PCPD) reported on its investigation of a personal data breach. The PCPD states that government bodies failed to implement appropriate measures to protect the personal data of people who took COVID-19 tests in 2022.
The watchdog had previously alerted officials that information about 17,000 persons was accessible online. According to the report, the problem was caused by a cloud platform called ArcGIS Online. The Electrical and Mechanical Services Department (EMSD) signed a deal with this service provider. Under the terms of the agreement, the cloud platform was to store data about COVID-19 tests. EMSD wrongly assumed that personal data would be automatically erased after expiration of the contract by February 2023. In April 2024, EMSD discovered that the testing data had not been deleted and could still be accessed even without logging into the website.
According to the report, leaked data included:
This incident underlines the risks of relying on third-party services. Moreover, the proliferation of cloud services only accentuates the importance of ensuring appropriate and secure data storage, processing, and distribution in compliance with regulators' demands.
To prevent such serious incidents, consider implementing managed security services. MSS is a smart and budget-friendly solution that ensures comprehensive protection.